Correct PPTP server firewall rules chain.

[tomato/davidwu.git] / release / src / router / libnfsidmap / ChangeLog

2004-08-05: started
2004-09-16: add debian stuff to dist tarball
2004-12-16:
conf_path is defined as a global in cfg.c.  Use that one here.
2006-02-24:
- Changes originally from Steve Dickson to fix library logging and debugging.
Add externally visible routine to set debugging level and logging routine.
Change all warnx() calls to use new IDMAP_LOG macro.
- In the umich_ldap code, move calls to ldap_init() and ldap_bind() into
a subroutine.  Don't do a bind since it isn't necessary for LDAPv3.
- Change libtool versioning to reflect interface change.
2006-02-24:
Don't use Verbosity from config file.
2006-03-21:
- Properly detect error returns from getpwnam_r() and handle them.

- Parse and use the "Nobody-User" and "Nobody-Group" entries from the
idmapd.conf file.

- If a translation fails, always attempt to return information for
the "nobody" user or group (as defined above).

- Add changes from Daniel Wachdorf <drwachd@sandia.gov>.
These changes in the umich_ldap code:
- allow configurable parameters to map objectclass names and attribute names
- allow configurable use of SLL to connect to the LDAP server
- allow configuration of a user DN and password to do an authenticated
bind to the LDAP server.

NOTE: These changes change the way to define an alternate subtree
to search for People and Group objects.  A full DN should be specified
for "LDAP_people_base" or "LDAP_group_base".  The *_subtree options
are no longer used.

- Add an example idmapd.conf file to the distribution (original from Dan).

- Minor updates to the libtest program, which is now included in the
distribution.
2006-04-20:
Don't do "nobody" mapping in the library.  Return -ENOENT if unable
to do the requested mapping.  Caller can then take the appropriate
action regarding the mapping failure.
2006-09-05:
Patch from Mike Frysinger <vapier@gentoo.org>, to allow libnfsidmap
to be built without requiring ldap.
2006-11-02:
Patch from Glenn Machin <GMachin@sandia.gov> to honor the buffer
size in umich_id_to_name() before copying name into buffer.

Fix a few memory leaks.
2007-01-19:
A patch from Glenn Machin <GMachin@sandia.gov>:

There is also a problem with a 32 element subgroup. Given that a user
can be in 30 to 150 groups here at Sandia we need to have some way to
select the groups to use and not just hope the group in the ACE is one
of the users first 32. So additional filtering is needed.  So attached
is a patch to umich_ldap.c and libtest.c which does a number of things.
All are controlled via attributes in the idmapd.conf file.

Below is an explanation of the features:

1) LDAP_use_memberof_for_groups (default is false)

Setting this value to true changes the way
umich_gss_princ_to_grouplist() goes about getting subgroup gids from the
directory. When set to true the account memberof attributes are used to
identify the user's groups, then each group is looked up to get the gid.
The idmapd.conf attribute "NFSv4_member_of_attr = memberof"  specifies
the person attribute to use to get the list of groups.

2)  NFSv4_grouplist_filter  (default is NULL)

This feature allows the admin to add a filter to
umich_gss_princ_to_grouplist() when searching for the list of groups.
This feature helps with the 32 group subgroup limit. Groups can be
tagged with an attribute which this filter can use to restrict the
groups to be used by the NFS server.  For instance we can tag groups
with the attribute snlResource and have values set for specific services
and machines. So for example if I set NFSv4_grouplist_filter to the
value "(|(snlResource=machine:vmtest1)(snlResource=central_svc:CSTR))"

I can restrict the groups to only those groups associated with the
machine vmtest1 or the central service CSTR. This speeds up the search
when LDAP_use_memberof_for_groups is false.  In fact this feature is
more valuable than LDAP_use_memberof_for_groups so if you need to pick
one to support I would ask you to consider this one.


3)   LDAP_timeout_seconds  (default is 4)

The allows you to change the tv_sec timeout used for the
ldapsearch_st calls.

2008-07-30:

Changes since libnfsidmap-0.20:

The main library has been changed to load "plugin" libraries to
perform the mappings.  This decouples the main library from any ldap
(and sasl, etc.) dependencies.

Several translation methods (plugins) may now be specified in the
idmapd.conf file.  While a plugin returns -ENOENT, the next is called
until a mapping is found, or there are no more plugins to try.

A "static" mapping plugin from David Härdeman <david@hardeman.nu> has
been added.

A "gums" mapping plugin from Olga Kornievskaia <aglo@citi.umich.edu>
has been added.  Olga also did most of the work to convert the code to
use this new plugin architecture.

The interface is changed to add two new functions,
nfs4_gss_princ_to_ids_ex(), and nfs4_gss_princ_to_grouplist_ex() which
allow extra information to be passed to these mapping functions.

2009-07-29:

Changes since libnfsidmap-0.21:

From Steve Dickson <SteveD@redhat.com>:
Allows mappings to be correct "right out of the box" when DNS is
set up correctly and stops idmapper from dying when there is
no domain name set.

Move the default processing for the "Local-Realm" config option
into the main config file processing function and adds missing
documentation for the previously added configuration option.

From Steve Dickson <SteveD@redhat.com>:
Print a debug log message "when the krb5 realm can not be used since
it does not match the DNS domain name or the 'Local-Realm' variable
defined in /etc/idmad.conf"

Move the idmapd.conf manpage from nfs-utils and update it to match
the current functionality.

2009-08-26:

Changes since libnfsidmap-0.22 (which was never officially announced):

From Guillaume Rousse <Guillaume.Rousse@inria.fr>:
Changes to install, and look for, the plugin libraries in a separate
libnfsidmap directory.

2010-12-08:

Changes since libnfsidmap-0.23

Added autogen.sh which runs all the autoconfig scripts
Added a .gitignore file

From Bryan Schumaker <bjschuma@netapp.com>
Added nfs4_owner interfaces which are used by the
new nfsidmap program